Contact us
Eli Benitah

Eli Benitah

New Rules Deployed

August 11th, 2023

Facebook
Twitter
LinkedIn

Windows/Network Connection:

  1. Connection Initiated Via Certutil.EXE
  2. Equation Editor Network Connection
  3. Download a File with IMEWDBLD.exe
  4. Communication To Mega.nz

Windows/System or Application/Service Control Manager:

  1. Suspicious Service Installation Script
  2. Turla PNG Dropper Service
  3. CobaltStrike Service Installations – System
  4. Windows Defender Threat Detection Disabled – Service
  5. smbexec.py Service Installation
  6. Invoke-Obfuscation Obfuscated IEX Invocation – System
  7. Invoke-Obfuscation STDIN+ Launcher – System
  8. Invoke-Obfuscation VAR+ Launcher – System
  9. Anydesk Remote Access Software Service Installation
  10. Hacktool Service Registration or Execution


Drive Load:

  1. Usage Of Malicious POORTRY Signed Driver
  2. PowerShell Scripts Run by Services


Azure/Azure Active Directory:

  1. Member Added to Group – Azure AD
  2. Multiple Members Added To Group – Azure AD2


Windows/Image Load:

  1. Suspicious Unsigned Dbghelp-Dbgcore DLL Loaded
  2. PCRE.NET Package Image Load
  3. Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  4. Suspicious Interactive PowerShell as SYSTEM
  5. Suspicious Scheduled Task Write to System32 Tasks
  6. Suspicious Startup Folder Persistence


Windows/Files:

  1. UEFI Persistence Via Wpbbin – FileCreation
  2. WMI Persistence – Script Event Consumer File Write
  3. Creation of a WerFault.exe in Unusual Folder
  4. UAC Bypass Using Windows Media Player – File
  5. UAC Bypass Abusing Winsat Path Parsing – File
  6. Suspicious Interactive PowerShell as SYSTEM
  7. Suspicious Scheduled Task Write to System32 Tasks
  8. Suspicious Startup Folder Persistence
  9. NPPSpy Hacktool Usage
  10. Powerup Write Hijack DLL


Fortigate@Fortinet:

  1. Fortigate Audit – System Changes Outside Working Hours


Windows/Process Creation:

  1. Certificate Exported Via Certutil.EXE
  2. Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  3. Findstr Suspicious ParentCommandLine
  4. Use NTFS Short Name in Image
  5. Sdclt Child Processes
  6. Potential UAC Bypass Via Sdclt.EXE


Windows/PowerShell:

  1. Potential Registry Reconnaissance Via PowerShell Script
  2. PowerShell Set-Acl On Windows Folder – PsScript
  3. PowerShell Script Change Permission Via Set-Acl – PsScript


365 Defender:

  1. Collection – 365 Defender
  2. Defense Evasion – 365 Defender
  3. Ransomware – 365 Defender
  4. Credential Access – 365 Defender


Web Cache:

  1. Potential CVE-2303-36884 URL Request Pattern Traffic


Pulse Connect Secure@Pulse Secure:

  1. User Connected by VPN Outside Working Hours – Pulse Secure


Windows/Registry:

  1. UAC Bypass via Sdclt

More to explorer

New Deployed Rules

November 5, 2023 No Comments

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

November 5, 2023 No Comments

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

October 31, 2023 No Comments

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Follow us:

Facebook-f Linkedin-in Twitter

Site map

Get in Touch:

[email protected]o

+972-523-429108

Hanofar 2, Raanana, israel

Contact Us >

Time to market

One-day SIEM integration

Learn more